As we work to bring even more value to our audience, we’ve made important changes for those who receive Ad Age with our compliments. As of November 15, 2016 we will no longer be offering full digital access to AdAge.com. However, we will continue to send you our industry-leading print issues focused on providing you with what you need to know to succeed.

If you’d like to continue your unlimited access to AdAge.com, we invite you to become a paid subscriber. Get the news, insights and tools that help you stay on top of what’s next.

FTC Fines Social-Game Developer RockYou $250K for Leaking Kids' Data

Agency Urges Congress to Give It Broader Authority to Impose Fines for Breaches

The Federal Trade Commission has imposed a $250,000 civil penalty on the social-game developer and ad network RockYou for a data-security breach that leaked information about 32 million users.

The complaint said RockYou violated several provisions of the Children's Online Privacy Protection Act (legislation giving the FTC much of its enforcement teeth in the realm of online privacy) and focuses on the leak of email addresses and passwords from 179,000 children specifically, though the breach was more pervasive.

The action comes on the heels of the FTC's release yesterday of its final privacy report, in which data security was front and center. The report urged Congress to enact a mandate that data brokers trading in personal information such as names, emails and purchase history give internet users access to their digital file. It also called for Congress to authorize the FTC to seek civil penalties for data-security violations and breaches, which would broaden its enforcement power beyond the relatively narrow scope of COPPA.

Related Stories

The complaint states that RockYou operated a site people used to build slide shows out of their photos. Email addresses and email passwords were required to save their work, and the site was subsequently hacked.

According to the complaint, RockYou violated COPPA first by enabling children to create personal profiles and publish shareable personal information without requiring parental consent, even though it asked users for their date of birth. It also says that RockYou didn't spell out its policies for using children's data or adequately protect that data once it was obtained.

In addition to the $250,000 penalty against RockYou, the complaint bars the company from future deceptive claims regarding data security and requires it to implement a data-security program and submit it to review by third-party auditors every other year for 20 years.

The stiff financial penalty in this case makes it different from the FTC's settlement with Facebook in November and with Google a year ago, when the companies were found to have deceived users about privacy policies but no civil penalties were imposed. (Facebook and Google were also subjected to third-party auditing for 20 years, though.)

RockYou didn't respond to a request for comment.

Update:
RockYou provided the following statement on the settlement.

RockYou is pleased to reach a settlement and gratified to put this matter behind us. We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout. The events that led to this complaint occurred over two years ago, and we have long since removed the features that led to this investigation. The focus of our business has evolved -- we no longer operate applications such as those included in the complaint, and we are in full compliance with Facebook's policies.